Port Forwarding on TP-Link AC2600

Hi all,

I've installed OpenWRT 18.06.1 on my TP-Link Archer AC2600. Everything works fine, except port forwarding.

I've set up the firewall as follows:

config redirect                                 
        option target 'DNAT'                    
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'tcp'                      
        option src_dport '22'                   
        option dest_ip '192.168.0.115'       
        option dest_port '22'                   
        option name 'ssh node'

I'm trying to redirect the SSH port to my node, but it doesn't work. Port 22 seems to be blocked.

Am I doing something wrong?

Make sure port 22 is not blocked by your ISP. Some providers block ports by default and you need to apply to open them for you. Quick way to verify: run a tcpdump on your wan interface:

tcpdump -i pppoe-wan tcp port 22

The redirect snippet is correct.

I guess it's something related to IPv6. I'm trying to disable it on the router, since my node doesn't have IPv6 enabled.

Is it possible to redirect an IPv6 connection to the router to an IPv4 lan IP? If not, how can I disable wan IPv6?

What makes you guess that?
Are you trying to connect from an IPv6 host using the -6 option in SSH?

No, but I think my ISP blocks IPv4 port redirections when using IPv6

Please paste here the /etc/config/network as well as the whole config/firewall

Just delete the WAN6 interface...or hit "DISABLE."

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdac:8a78:b0d8::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'         
                                 
config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                
        option proto 'icmp'             
        list icmp_type 'echo-request'   
        list icmp_type 'echo-reply'    
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                 
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-IPSec-ESP'           
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
config rule                                  
        option name 'Allow-ISAKMP'              
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                 
        option proto 'udp'                      
        option target 'ACCEPT'  

config include                                  
        option path '/etc/firewall.user'        
                                                
config redirect                                 
        option enabled '1'                      
        option target 'DNAT'                    
        option src 'wan'                     
        option dest 'lan'                       
        option proto 'tcp'                      
        option src_dport '22'                   
        option dest_ip '192.168.0.115'         
        option dest_port '22'                   
        option name 'ssh-node'

I just have SSH access to the router

OK, I don't understand why you're telling me that. You just pasted /etc/config/network - so as I noted, just delete WAN6 interface to disable WAN IPv6:

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

Config is correct.

This is irrelevant. Is your ISP using carrier grade nat or blocking in general incoming connections? Do you have a routable public IP on wan interface?

I think that when I use IPv6, my ISP automatically blocks all IPv4 incoming traffic, so I'm not able to connect to port 22.

Instead, I enabled IPv6 on my node, should I add any rule to the router firewall to allow IPv6 incoming connections?

I tried:

config rule
       option 'src' 'wan6'
       option 'proto' 'tcp'
       option 'dest_port' '22'
       option 'dest_ip' '2001:your:servers:global:ipv6:address:####:####'
       option 'family' 'ipv6'
       option 'target' 'ACCEPT'
       option 'dest' 'lan' 

But I'm getting Warning: Section @rule[9] refers to not existing zone 'wan6'

Zone wan includes both wan and wan6 networks.
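
The check behind that warning, as an added example that is not part of the original thread: firewall `src`/`dest` options name zones defined by `config zone` sections, not network interfaces, so `wan6` is only valid if some zone is called that. The function name `check_zone_refs`, its output wording and the sample config are constructed for illustration.

```sh
# Added example, not from the thread. Reports firewall sections whose src/dest
# names a zone that no "config zone" section defines. UCI text comes on stdin.
check_zone_refs() {
    awk -v q="'" '
    # Strip surrounding single or double quotes from a token.
    function unq(t) { gsub("^[" q "\"]|[" q "\"]$", "", t); return t }
    # Close the current section: record zone names, queue zone references.
    function endsec(   i0) {
        if (type == "zone" && zname != "") zones[zname] = 1
        if (type == "rule" || type == "redirect" || type == "forwarding") {
            i0 = idx[type]++; n++
            label[n] = "@" type "[" i0 "]"; rsrc[n] = src; rdst[n] = dst
        }
        type = ""; zname = ""; src = ""; dst = ""
    }
    # "*" is any zone; an unset option is not a zone reference.
    function chk(lbl, opt, z) {
        if (z != "" && z != "*" && !(z in zones))
            print lbl ": " opt " refers to undefined zone " z
    }
    $1 == "config" { endsec(); type = unq($2); next }
    $1 == "option" {
        key = unq($2); val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t]+$/, "", val); val = unq(val)
        if (type == "zone" && key == "name") zname = val
        else if (key == "src") src = val
        else if (key == "dest") dst = val
    }
    END { endsec(); for (i = 1; i <= n; i++) {
        chk(label[i], "src", rsrc[i]); chk(label[i], "dest", rdst[i]) } }'
}
# Constructed sample, condensed from the configuration shown in the thread.
sample_firewall() {
    cat <<'EOF'
config zone
        option name 'lan'
config zone
        option name 'wan'
        list network 'wan6'
config rule
        option src 'wan'
        option dest '*'
config rule
        option 'src' 'wan6'
        option 'dest' 'lan'
EOF
}
sample_firewall | check_zone_refs
```

On a router, run it as `check_zone_refs < /etc/config/firewall`; once the rule uses `option src 'wan'` it prints nothing.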

This doesn't make much sense.

Replace the WAN6 section!!! You just asked to disable/remove it. Just put it back.

If you open IPv6 on your router for SSH access:

  • you will have to access your device remotely using an IPv6-capable network, or
  • use a tunnel that can do IPv6
  • I also advise you not open your router to the outside world without a VPN or SSH keys

It doesn't, but it's how my ISP works.

First I tried to disable WAN6, so I would only have an IPv4 address. Unfortunately it didn't work.

I could add this rule:

config rule
       option 'src' 'wan6'
       option 'proto' 'tcp'
       option 'dest_port' '22'
       option 'dest_ip' '2001:your:servers:global:ipv6:address:####:####'
       option 'family' 'ipv6'
       option 'target' 'ACCEPT'
       option 'dest' 'lan' 

and allow only access to my node IPv6, not globally.

Yes, node is configured to only allow connections using keys, not just password.

Thanks everyone, problem solved!

I don't quite understand this question, as you asked for WAN or WAN6 access to your device. I surmise that you are issued public IPv6 addresses on the WAN6, and that you have public LAN IPs too.

  • If you use a non-Public IPv6 address in your rule, it will not work.
  • If you use this IPv6 rule, it's unrelated to any IPv4 addressing

Some options to better secure the rule are:

Ok so after a few tests:

  • I'm pretty sure my ISP isn't blocking the port
  • I can connect with my server's IPv6
  • IPv4 port redirection doesn't work

I made a test using a non-OpenWRT modem and I could reach my server, so I'm pretty sure it's an OpenWRT problem, but I can't find which one

Edit: Okay I found the problem. OpenVPN on my server blocks the port. When OpenVPN is connected, the port is blocked. I just don't understand why connecting through my local lan using my server's IP address works, and from outside reaching my public IP address doesn't

AAAH! The problem is that you're routing outbound IPv4 traffic over a tunnel, you're not set up to use WAN for connection to the server.

  • It would have helped to mention OpenVPN in your first post
  • It would have also helped to have shown this in your /etc/config/network

It's not in my /etc/config/network because OpenVPN is only running on my server, it's not in OpenWRT router

I just don't understand why when I'm in my lan I can connect to my server via its local IP and when I'm outside my lan I can't. The router doesn't redirect the traffic like it was inside the lan?

This isn't an OpenWrt issue then. You likely didn't enable these on the Access Server:

  • Should client Internet traffic be routed through the VPN?

AND

  • Should clients be allowed to access network services on the VPN gateway IP address?


  • When you say "outside your LAN" do you mean with a VPN connection, or using port forward from WAN???
  • Are you trying to run OpenVPN on port 22/tcp (I'm not sure how 22/tcp applies to OpenVPN) !!?! If so, can you verify that you're not running 22/tcp anywhere else (SSH ON SERVER, SSH ON ROUTER, etc.)?
  • I would try using a port other than 22/tcp
  • Did you open the UDP port too!?!?

Lastly, this is wrong in your IPv4 firewall rule:

option src_dport '22'

There should be no source port, only the DEST port 22/tcp should be specified. You don't know what SRC port the client will use.